: Well, I can imagine that some of them are able to validate and verify
: the vulns since some of them are 'fluent C speakers' and they're always
: looking for people with such skills. But ALL vulns? I don't think that's
: true...
I am fairly sure they validate and dig into vulnerabilities sometimes,
just as Christey does. There are times where I get information, dig up a
changelog entry and move on. Three or four days later Secunia will release
their advisory with a little more detail, and it seems it is from their
own examination of the code.
But... how do they validate the high-end expensive software? How do they
validate extremely vague information on closed-source products? That is
where I wonder if the wording is a little far-reaching.